Attachment: PDF with credential theft language and invalid reply-to domain

Detects PDF attachments containing high-confidence credential theft language that references the recipient's email address, combined with an invalid reply-to domain header.

Sublime rule (View on GitHub)

 1name: "Attachment: PDF with credential theft language and invalid reply-to domain"
 2description: "Detects PDF attachments containing high-confidence credential theft language that references the recipient's email address, combined with an invalid reply-to domain header."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(recipients.to) == 1
 8  and recipients.to[0].email.domain.valid
 9  and any(headers.reply_to, .email.email == "")
10  and any(attachments,
11          .file_type == 'pdf'
12          and any(file.explode(.),
13                  any(ml.nlu_classifier(.scan.strings.raw).intents,
14                      .name == 'cred_theft' and .confidence == 'high'
15                  )
16                  and strings.icontains(.scan.strings.raw,
17                                        recipients.to[0].email.email
18                  )
19          )
20  )
21  // negate highly trusted sender domains unless they fail DMARC authentication or DMARC is missing
22  and not (
23    sender.email.domain.root_domain in $high_trust_sender_root_domains
24    and coalesce(headers.auth_summary.dmarc.pass, false)
25  )  
26attack_types:
27  - "Credential Phishing"
28tactics_and_techniques:
29  - "PDF"
30  - "Social engineering"
31  - "Spoofing"
32detection_methods:
33  - "File analysis"
34  - "Header analysis"
35  - "Natural Language Understanding"
36  - "Content analysis"
37id: "52e54b5d-940f-5b54-b175-0a55f2a44fa2"